Skip to main content

Analyze scan results

A scan observes the data flow in an application and reports vulnerabilities that it discovers.

After you analyze the results, update your code and run the scan again to verify the vulnerability is fixed.


Contrast provides a score for each scan that represents the potential security risk for an application:

  • Scoring is not dynamic. To see updated scores after updating code, run the scan again.

  • Scoring uses the standard scoring methodology described in the Contrast application scoring guide.

Before you begin

Contrast Scan vulnerability workflow provides guidelines for managing vulnerabilities that Contrast Scan reports.


After a scan completes, you can view information on vulnerabilities, the name of the project creator, and the name of the person who ran each scan.

  1. Select Scans in the header.

    The Scans page shows a list of scan projects..

  2. Select a scan project.

  3. On the Overview tab, view a summary of the scan results as well as a list of scans in the project.

    This image shows the details of a scan project in the Overview tab.

    The summary section shows these details:

    • Score: A letter grade that represents the potential security risk for application based on the most recent scan in the project.

    • Vulnerabilities: The number of vulnerabilities discovered in the most recent scan.To see details about discovered vulnerabilities, select the number.

    • New Vulnerabilities: The number of new vulnerabilities discovered in the most recent scan. This value excludes vulnerabilities that previous scans discovered and are not fixed.

      For example:

      If Scan 1 discovered three vulnerabilities:

      • The number of vulnerabilities is three.

      • The number of new vulnerabilities is also three.

      If code modifications introduce a new vulnerability but do not fix existing vulnerabilities, when you run Scan 2:

      • The vulnerabilities number changes to four (all discovered vulnerabilities).

      • The new vulnerabilities number becomes one (the new one discovered in Scan 2).

      To see details about new vulnerabilities, select the number.

    • Remediated: The number of vulnerabilities that are fixed by changing source code or configuration files within the application.

      To see details about remediated vulnerabilities, select the number.

    • Scans completed: The number of scans completed in the project.

      To see details about completed scans, select the number.

    • Days since last scan: The number of days since the last scan completed.

    The Scan history shows these details:

    • Vulnerabilities: A bar that shows the different types of detected vulnerabilities for a scan.

      To view a filtered list of a specific type of vulnerability, select a section of the bar.

    • Label: The label associated with the scan.

      To view additional scan details, select the label.

    • Scan date The date the scan completed.

    • Name: The name of the person who ran the scan.

    • Language: The languages detected in the scanned code.

    • Coverage: A link to additional scan details.

    To export the results to a SARIF file, select the Download icon ( icon-download.svg) at the end of a scan's row.

  4. To view more information about a specific vulnerability, select the Vulnerabilities tab and select the vulnerability.

    Image shows the details for a specific vulnerability found in a scan.
    • The Overview tab for the selected vulnerability shows a description of the vulnerability, including what happened in your code and the risk associated with the vulnerability.

    1. To view the details about the vulnerability and its location in your code, select the Details tab:

      • The method where a vulnerability exists.

      • The file where the scan discovered the vulnerability.

      • The first line in the code where the scan discovered the vulnerability.

    2. To view suggestions for fixing the code, select the How to fix tab.

    3. To view additional details about the vulnerability, select the Notes tab for these details:

      • When the vulnerability is detected

      • The code module where Contrast found the vulnerability

      • The type of vulnerability (for example, injection)

      • Severity

      • Risk confidence

      • Security standards that apply to the vulnerability

    4. To view vulnerability activity, select the Activity tab for these details:

      • The user who made changes

      • Vulnerability status changes

      • Comments

See also

View scan details